From: hongxu Date: Mon, 16 Jun 2025 05:00:53 +0000 (+0800) Subject: libxml2: fix CVE-2025-6021 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3a6bf785656243b5adc0775f7480a1eb0e4ae4c;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git libxml2: fix CVE-2025-6021 According to [1] A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. Refer debian [2], backport a fix [3] from upstream [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6021 [2] https://security-tracker.debian.org/tracker/CVE-2025-6021 [3] https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Signed-off-by: Hongxu Jia Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..157486848b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch @@ -0,0 +1,59 @@ +From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 27 May 2025 12:53:17 +0200 +Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName + +This issue affects memory safety and might receive a CVE ID later. + +Fixes #926. + +Signed-off-by: Nick Wellnhofer + +Add '#include ' to assure the definition of SIZE_MAX +CVE: CVE-2025-6021 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0] +Signed-off-by: Hongxu Jia +--- + tree.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index 7454b07..22ec11c 100644 +--- a/tree.c ++++ b/tree.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #ifdef LIBXML_ZLIB_ENABLED + #include +@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) { + ret = xmlMalloc(lenn + lenp + 2); + if (ret == NULL) + return(NULL); +-- +2.34.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.3.bb index da75cbe450..4baab59186 100644 --- a/meta/recipes-core/libxml/libxml2_2.14.3.bb +++ b/meta/recipes-core/libxml/libxml2_2.14.3.bb @@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://run-ptest \ file://install-tests.patch \ file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \ + file://CVE-2025-6021.patch \ " SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"